Abstract
Distributed denial-of-service (DDoS) attacks continue to pose an important challenge to current networks. DDoS attacks can cause victim resource consumption and link congestion. A filter-based DDoS defense is considered as an effective approach, since it can defend against both attacks: victim resource consumption and link congestion. However, existing filter-based approaches do not address necessary properties for viable DDoS solutions: how to practically identify attack paths, how to propagate filters to the best locations (filter routers), and how to manage many filters to maximize the defense effectiveness. We propose a novel mechanism, termed PFS (Probabilistic Filter Scheduling), to efficiently defeat DDoS attacks and to satisfy the necessary properties. In PFS, filter routers identify attack paths using probabilistic packet marking, and maintain filters using a scheduling policy to maximize the defense effectiveness. Our experiments show that PFS achieves 44% higher effectiveness than other filter-based approaches. Furthermore, we vary PFS parameters in terms of the marking probability and deployment ratio, and find that 30% marking probability and 30% deployment rate maximize the attack blocking rate of PFS.
| Original language | English |
|---|---|
| Title of host publication | Proceedings - Conference on Local Computer Networks, LCN |
| Pages | 9-17 |
| Number of pages | 9 |
| DOIs | |
| Publication status | Published - 2011 Dec 1 |
| Event | 36th Annual IEEE Conference on Local Computer Networks, LCN 2011 - Bonn, Germany Duration: 2011 Oct 4 → 2011 Oct 7 |
Other
| Other | 36th Annual IEEE Conference on Local Computer Networks, LCN 2011 |
|---|---|
| Country | Germany |
| City | Bonn |
| Period | 11/10/4 → 11/10/7 |
Fingerprint
Keywords
- DDoS attack defense
- filter scheduling
- Network security
- router-based filtering
ASJC Scopus subject areas
- Computer Networks and Communications
- Hardware and Architecture
Cite this
PFS : Probabilistic filter scheduling against distributed denial-of-service attacks. / Seo, Dongwon; Lee, Heejo; Perrig, Adrian.
Proceedings - Conference on Local Computer Networks, LCN. 2011. p. 9-17 6114645.Research output: Chapter in Book/Report/Conference proceeding › Conference contribution
}
TY - GEN
T1 - PFS
T2 - Probabilistic filter scheduling against distributed denial-of-service attacks
AU - Seo, Dongwon
AU - Lee, Heejo
AU - Perrig, Adrian
PY - 2011/12/1
Y1 - 2011/12/1
N2 - Distributed denial-of-service (DDoS) attacks continue to pose an important challenge to current networks. DDoS attacks can cause victim resource consumption and link congestion. A filter-based DDoS defense is considered as an effective approach, since it can defend against both attacks: victim resource consumption and link congestion. However, existing filter-based approaches do not address necessary properties for viable DDoS solutions: how to practically identify attack paths, how to propagate filters to the best locations (filter routers), and how to manage many filters to maximize the defense effectiveness. We propose a novel mechanism, termed PFS (Probabilistic Filter Scheduling), to efficiently defeat DDoS attacks and to satisfy the necessary properties. In PFS, filter routers identify attack paths using probabilistic packet marking, and maintain filters using a scheduling policy to maximize the defense effectiveness. Our experiments show that PFS achieves 44% higher effectiveness than other filter-based approaches. Furthermore, we vary PFS parameters in terms of the marking probability and deployment ratio, and find that 30% marking probability and 30% deployment rate maximize the attack blocking rate of PFS.
AB - Distributed denial-of-service (DDoS) attacks continue to pose an important challenge to current networks. DDoS attacks can cause victim resource consumption and link congestion. A filter-based DDoS defense is considered as an effective approach, since it can defend against both attacks: victim resource consumption and link congestion. However, existing filter-based approaches do not address necessary properties for viable DDoS solutions: how to practically identify attack paths, how to propagate filters to the best locations (filter routers), and how to manage many filters to maximize the defense effectiveness. We propose a novel mechanism, termed PFS (Probabilistic Filter Scheduling), to efficiently defeat DDoS attacks and to satisfy the necessary properties. In PFS, filter routers identify attack paths using probabilistic packet marking, and maintain filters using a scheduling policy to maximize the defense effectiveness. Our experiments show that PFS achieves 44% higher effectiveness than other filter-based approaches. Furthermore, we vary PFS parameters in terms of the marking probability and deployment ratio, and find that 30% marking probability and 30% deployment rate maximize the attack blocking rate of PFS.
KW - DDoS attack defense
KW - filter scheduling
KW - Network security
KW - router-based filtering
UR - http://www.scopus.com/inward/record.url?scp=84862922646&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=84862922646&partnerID=8YFLogxK
U2 - 10.1109/LCN.2011.6114645
DO - 10.1109/LCN.2011.6114645
M3 - Conference contribution
SN - 9781612849287
SP - 9
EP - 17
BT - Proceedings - Conference on Local Computer Networks, LCN
ER -